Users neglect Java patches, leave attack door wide open

Oracle should piggyback on Microsoft's update service to boost users' chances of running a patched version of Java, a security expert said today.

"The solution would be to get rid of all these different update engines, and instead for companies like Oracle to collaborate with Microsoft to use Windows Update or WSUS to distribute fixes for Java," said Wolfgang Kandek, CTO at Qualys.

WSUS, or Windows Server Update Services, is the business-grade update mechanism that most companies rely on to distribute Windows and other Microsoft software patches.

According to data mined from Qualys' free BrowserCheck service, eight in 10 Windows PCs run one or more copies of Java, making Oracle's software just as popular as Adobe's Reader but behind Flash.

Of the systems with Java, more than 40 per cent were running an outdated version that contained at least one critical vulnerability, Kandek said. That puts Java at the top of the unpatched list. Even Adobe's Reader and Flash, which have gained reputations as criminals' preferred targets , are more likely to be up-to-date.

"Malware operators are always looking for new ways to allow their programs to take control over machines," said Kandek. "But the operating system has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in third-party applications."

Kandek's spotlight on Java was no surprise: Earlier this week, Microsoft 's anti-malware team said an "unprecedented wave" of attacks was exploiting long-patched Java bugs. More than 3.5 million of the more than 6 million attacks in the first nine months of 2010, for instance, tried to exploit a Java Runtime Environment (JRE) flaw patched nearly two years ago.

"While the first wave of these exploits focused on Windows Office and the second wave on Adobe Reader and Flash, we're now seeing an increased attention on Java," Kandek said. Oracle 's software meets hackers' requirements: It's widely installed, it contains a number of well-known bugs and it's largely been ignored by IT staffers responsible for patching their organization's PCs.

While he acknowledged that the idea that Microsoft would distribute Java updates was a long shot, he thought it was worth considering. "The benefit is so big that if they could work together, it would result in a more robust [Windows] client," Kandek said.

Java has an update service of its own, but it's been criticized for being slow to notify users, and for allowing multiple editions to exist on a PC, leaving users vulnerable even if they've recently patched.

There is a precedent for Kandek's proposal. Apple , for example, distributes Java security patches to Mac OS X users via its own update process. The problem there, however, is that Apple has historically patched Java on the Mac months after the fixes were posted by Sun, Java's maker and the company Oracle acquired earlier this year.

Qualys' BrowserCheck scans Windows and Mac machines for vulnerable browsers or plug-ins, including Flash, Java, Apple's QuickTime and Reader. Danish vulnerability tracker Secunia offers a similar tool, dubbed Personal Software Inspector , that checks a much larger number of plug-ins and programs for outdated versions.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.